Triggered in-band operations, administration, and maintenance in a network environment
US-2017111209-A1 · Apr 20, 2017 · US
System and method of verifying network communication paths between applications and services
US10904240B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10904240-B2 |
| Application number | US-201916705652-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 6, 2019 |
| Priority date | Oct 23, 2018 |
| Publication date | Jan 26, 2021 |
| Grant date | Jan 26, 2021 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Disclosed are concepts for provided for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.
First claim
Opening claim text (preview).
We claim: 1. A method comprising: generating a routing policy for data flows between a client application on a client device and a network-based service, wherein the routing policy defines a mandated data flow path between the client application, through a network and to the network-based service for a data flow and comprises one of a first routing policy of not verifying the data flow and a second routing policy in which the data flow is verified and tracked from node to node between the client application and the network-based service; determining whether the actual data flow path for a data flow between the client application and the network-based service complies with the mandated data flow path defined in the routing policy; granting, in response to a positive result of the determining, access to a user for the network-based service; and denying, in response to a positive result of the determining, access to the user for the network-based service. 2. The method of claim 1 , wherein the routing policy is dynamic. 3. The method of claim 1 , wherein the routing policy is applied to the user according to a user credential. 4. The method of claim 1 , wherein generating the routing policy further comprises: selecting the routing policy from a plurality of routing policies according to a characteristic of the user. 5. The method of claim 1 , wherein a credential associated with the user of the client application is applied to an application service session which enables the client application to access the network-based service through the mandated data flow path. 6. The method of claim 1 , wherein the mandated data flow path comprises using one or more of a way-point, an in-line service, a router, and a network node. 7. A system comprising: a processor; and a non-transitory computer-readable media storing instructions which, when executed by the processor, cause the processor to perform operations comprising: generating a routing policy for data flows between a client application on a client device and a network-based service, wherein the routing policy defines a mandated data flow path between the client application, through a network and to the network-based service for a data flow and comprises one of a first routing policy of not verifying the data flow and a second routing policy in which the data flow is verified and tracked from node to node between the client application and the network-based service; determining whether the actual data flow path for a data flow between the client application and the network-based service complies with the mandated data flow path defined in the routing policy; granting, in response to a positive result of the determining, access to a user for the network-based service; and denying, in response to a positive result of the determining, access to the user for the network-based service. 8. The system of claim 7 , wherein the routing policy is dynamic. 9. The system of claim 7 , wherein the routing policy is applied to the user according to a user credential. 10. The system of claim 7 , wherein generating the routing policy further comprises: selecting the routing policy from a plurality of routing policies according to a characteristic of the user. 11. The system of claim 7 , wherein a credential associated with the user of the client application is applied to an application service session which enables the client application to access the network-based service through the mandated data flow path. 12. The system of claim 7 , wherein the mandated data flow path comprises using one or more of a way-point, an in-line service, a router, and a network node. 13. A non-transitory computer-readable media storing instructions which, when executed by a system cause the system to perform operations comprising: generating a routing policy for data flows between a client application on a client device and a network-based service, wherein the routing policy defines a mandated data flow path between the client application, through a network and to the network-based service for a data flow and comprises one of a first routing policy of not verifying the data flow and a second routing policy in which the data flow is verified and tracked from node to node between the client application and the network-based service; determining whether the actual data flow path for a data flow between the client application and the network-based service complies with the mandated data flow path defined in the routing policy; granting, in response to a positive result of the determining, access to a user for the network-based service; and denying, in response to a positive result of the determining, access to the user for the network-based service. 14. The media of claim 13 , wherein the routing policy is dynamic. 15. The media of claim 13 , wherein the routing policy is applied to the user according to a user credential. 16. The media of claim 13 , wherein generating the routing policy further comprises: selecting the routing policy from a plurality of routing policies according to a characteristic of the user. 17. The media of claim 13 , wherein a credential associated with the user of the client application is applied to an application service session which enables the client application to access the network-based service through the mandated data flow path. 18. The method of claim 1 , wherein proof-of-transit data is embedded in the data flow and the proof-of-transit data is used in the determining. 19. The system of claim 7 , wherein proof-of-transit data is embedded in the data flow and the proof-of-transit data is used in the determining. 20. The media of claim 13 , wherein proof-of-transit data is embedded in the data flow and the proof-of-transit data is used in the determining.
Assignees
Inventors
Classifications
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Route determination based on user's profile, e.g. premium users · CPC title
at the transport layer · CPC title
Virtual private networks · CPC title
- H04L63/0815Primary
providing single-sign-on or federations · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10904240B2 cover?
- Disclosed are concepts for provided for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between…
- Who is the assignee on this patent?
- Cisco Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Jan 26 2021 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).